Bug 152897 - CAN-2005-0089 python SimpleXMLRPCServer security issue
Status: CLOSED DUPLICATE of bug 169235
Product: Fedora Legacy
Classification: Retired
Component: python (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: 1, LEGACY, NEEDSWORK, rh73, rh90
Keywords: Security
Depends On: 169235
Blocks:
Reported: 2005-02-10 13:55 EST by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)

Doc Type: Bug Fix
Last Closed: 2005-09-28 02:51:44 EDT
Attachments: None
Description David Lawrence 2005-03-30 18:31:21 EST
The Python folks have discovered a flaw in SimpleXMLRPCServer that can
affect any XML-RPC servers.  This affects any programs that have been written
that allow remote untrusted users to do unrestricted traversal and can
allow them to access or change function internals using the im_* and
func_* attributes.

Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0089
https://bugzilla.redhat.com/beta/show_bug.cgi?id=146645



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2421 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2421
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
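As an added example (not code from this bug report, nor from the Red Hat or Fedora Legacy python packages discussed here), the following Python 3 dispatcher refuses the dotted-name traversal described in the report. It follows the shape of the upstream fix, which made dotted-name lookup opt-in (the allow_dotted_names flag on register_instance) and rejects any attribute segment beginning with an underscore; it also insists that the resolved object be callable. The CalculatorService class, the safe_resolve, is_refused, build_dispatcher, call_locally and probe helpers, and the sample data are assumptions made for this example; xmlrpc.server and xmlrpc.client are the standard library. Python 3 spells the dangerous attributes __globals__ and __self__ where Python 2 had func_globals and im_self.

```python
"""Defensive XML-RPC dispatch for the flaw class behind CAN-2005-0089.

A method name such as "add.func_globals" (Python 2) or "add.__globals__"
(Python 3), walked through getattr() one segment at a time, lands on
function internals instead of an intended method.  This example refuses
that traversal.  Constructed example code for this page: the service,
helper names and sample data are hypothetical; the xmlrpc.server and
xmlrpc.client calls are the Python 3 standard library's.
"""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher


def safe_resolve(obj, name, allow_dotted_names=False):
    """Resolve an XML-RPC method name against obj.

    Dotted traversal is off by default (a dotted name is then just an
    unknown attribute); any segment starting with "_" is refused so that
    __globals__/__self__ (func_*/im_* on Python 2) stay out of reach; and
    the final object must be callable so plain data attributes are not
    served either.
    """
    segments = name.split(".") if allow_dotted_names else [name]
    for seg in segments:
        if not seg or seg.startswith("_"):
            raise AttributeError("refusing private or empty attribute %r" % seg)
        obj = getattr(obj, seg)
    if not callable(obj):
        raise AttributeError("%r is not a callable method" % name)
    return obj


def is_refused(obj, name, allow_dotted_names=False):
    """True when safe_resolve rejects the name (convenience for checks)."""
    try:
        safe_resolve(obj, name, allow_dotted_names)
    except AttributeError:
        return True
    return False


class CalculatorService:
    """Hypothetical service object.  Because it defines _dispatch, the
    dispatcher hands every call to it, so name resolution always goes
    through safe_resolve."""

    secret = "constructed sample data that must never be served"

    def add(self, a, b):
        return a + b

    def _dispatch(self, method, params):
        return safe_resolve(self, method)(*params)


def build_dispatcher():
    """Dispatcher with the service registered; no socket is opened."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding="utf-8")
    dispatcher.register_instance(CalculatorService())
    return dispatcher


def call_locally(dispatcher, method, *params):
    """Marshal a request, run it through the dispatcher in-process and
    unmarshal the reply; raises xmlrpc.client.Fault on a fault response."""
    request = xmlrpc.client.dumps(params, methodname=method)
    response = dispatcher._marshaled_dispatch(request.encode("utf-8"))
    (result,), _ = xmlrpc.client.loads(response)
    return result


def probe(dispatcher, method, *params):
    """Return ("ok", value) or ("fault", message) for easy comparison."""
    try:
        return ("ok", call_locally(dispatcher, method, *params))
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultString)


if __name__ == "__main__":
    d = build_dispatcher()
    print(probe(d, "add", 2, 3))            # ('ok', 5)
    print(probe(d, "add.__globals__"))      # fault: traversal refused
    print(probe(d, "secret"))               # fault: not a callable method
```

The requests are marshalled with xmlrpc.client.dumps and fed straight to the dispatcher's _marshaled_dispatch, so the check exercises the same code path a network client would hit without binding a port. Registering the instance without the _dispatch hook and with allow_dotted_names=True is the configuration to avoid on anything reachable by untrusted callers.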

Comment 1 Michal Jaegermann 2005-09-26 02:00:14 EDT
Corresponding fixed Python packages were announced in
http://rhn.redhat.com/errata/RHSA-2005-109.html which has classification
"Important".
Comment 2 Michal Jaegermann 2005-09-26 18:26:47 EDT
There is a package for RH7.3 at
ftp://ftp.harddata.com/pub/Legacy_packages/python2-2.2.2-11.7.3.1.legacy.src.rpm

These sources include a fix for CAN-2005-0089, and also for other SSL security
issues (lifted from updates to RHEL) and a fix for pcre issues (CAN-2005-2491,
#169235).

Neither python-1.5.2-... packages, nor python-xmlrpc-1.5.1-7.x.3, for RH7.3
seem to be affected by CAN-2005-0089.  It does not look like the code in
question, or something similar, is there.

For other distributions it seems that a fix for CAN-2005-0089 will be
either the same or very similar as applied here.  In any case code from
corresponding RHEL update sources will apply.
Comment 3 David Eisenstein 2005-09-27 02:14:15 EDT
(Michal and Jim - hope you don't mind my adding you to the cc: for this bug.)

Since Michal has proposed the python2-2.2.2-11.7.3.1.legacy.src.rpm packages as
a fix not only for this bug report's issue, but also for the CAN-2005-2491
pcre issue (handled in Bug #169235), I suggest we re-title 169235 to be
"CAN-2005-0089 CAN-2005-2491 python multiple security issues" and continue all
work on CAN-2005-0089 there.  We can make this bug report's success depend on
that one.

That way we can track all of python's pending security issues in one bug report
rather than two.  Would you mind changing the title of 169235, Jim?
Comment 4 Jim Popovitch 2005-09-27 11:05:47 EDT
David, Thank you for adding me to this bug.  For the record I would rather be
added than deleted. ;-)

I have renamed 169235 as you proposed.
Comment 5 Pekka Savola 2005-09-28 02:51:44 EDT
I'm closing this bug if we continue tracking on #169235.

*** This bug has been marked as a duplicate of 169235 ***
